.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.2.
.TH YUBICO-PIV-TOOL "1" "August 2016" "yubico-piv-tool 1.4.2" "User Commands"
.SH NAME
yubico-piv-tool \- Yubico PIV tool
.SH SYNOPSIS
.B yubico-piv-tool
[\fI\,OPTIONS\/\fR]...
.SH DESCRIPTION
yubico\-piv\-tool 1.4.2
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help and exit
.TP
\fB\-\-full\-help\fR
Print help, including hidden options, and exit
.TP
\fB\-V\fR, \fB\-\-version\fR
Print version and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR[=\fI\,INT\/\fR]
Print more information (default=`0')
.TP
\fB\-r\fR, \fB\-\-reader\fR=\fI\,STRING\/\fR
Only use a matching reader (default=`Yubikey')
.TP
\fB\-k\fR, \fB\-\-key\fR[=\fI\,STRING\/\fR]
Management key to use (default=`010203040506070801020304050607080102030405060708')
.TP
\fB\-a\fR, \fB\-\-action\fR=\fI\,ENUM\/\fR
Action to take (possible values="version", "generate", "set\-mgm\-key",
"reset", "pin\-retries", "import\-key", "import\-certificate", "set\-chuid",
"request\-certificate", "verify\-pin", "change\-pin", "change\-puk",
"unblock\-pin", "selfsign\-certificate", "delete\-certificate",
"read\-certificate", "status", "test\-signature", "test\-decipher",
"list\-readers", "set\-ccc", "write\-object", "read\-object", "attest")
.IP
Multiple actions may be given at once and will be executed in order, for
example \fB\-\-action\fR=\fI\,verify\-pin\/\fR \fB\-\-action\fR=\fI\,request\-certificate\/\fR
.TP
\fB\-s\fR, \fB\-\-slot\fR=\fI\,ENUM\/\fR
What key slot to operate on (possible values="9a", "9c", "9d", "9e", "82",
"83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f",
"90", "91", "92", "93", "94", "95", "f9")
.IP
9a is for PIV Authentication
.br
9c is for Digital Signature (PIN always checked)
.br
9d is for Key Management
.br
9e is for Card Authentication (PIN never checked)
.br
82\-95 is for Retired Key Management
.TP
\fB\-A\fR, \fB\-\-algorithm\fR=\fI\,ENUM\/\fR
What algorithm to use (possible values="RSA1024", "RSA2048", "ECCP256",
"ECCP384" default=`RSA2048')
.TP
\fB\-H\fR, \fB\-\-hash\fR=\fI\,ENUM\/\fR
Hash to use for signatures (possible values="SHA1", "SHA256", "SHA384",
"SHA512" default=`SHA256')
.TP
\fB\-n\fR, \fB\-\-new\-key\fR=\fI\,STRING\/\fR
New management key to use for action set\-mgm\-key
.TP
\fB\-\-pin\-retries\fR=\fI\,INT\/\fR
Number of retries before the PIN code is blocked
.TP
\fB\-\-puk\-retries\fR=\fI\,INT\/\fR
Number of retries before the PUK code is blocked
.TP
\fB\-i\fR, \fB\-\-input\fR=\fI\,STRING\/\fR
Filename to use as input, \- for stdin (default=`\-')
.TP
\fB\-o\fR, \fB\-\-output\fR=\fI\,STRING\/\fR
Filename to use as output, \- for stdout (default=`\-')
.TP
\fB\-K\fR, \fB\-\-key\-format\fR=\fI\,ENUM\/\fR
Format of the key being read/written (possible values="PEM", "PKCS12",
"GZIP", "DER", "SSH" default=`PEM')
.TP
\fB\-p\fR, \fB\-\-password\fR=\fI\,STRING\/\fR
Password for decryption of the private key file
.TP
\fB\-S\fR, \fB\-\-subject\fR=\fI\,STRING\/\fR
The subject to use for the certificate request
.IP
The subject must be written as: /CN=host.example.com/OU=test/O=example.com/
.TP
\fB\-\-serial\fR=\fI\,INT\/\fR
Serial number of the self\-signed certificate
.TP
\fB\-\-valid\-days\fR=\fI\,INT\/\fR
Time (in days) until the self\-signed certificate expires (default=`365')
.TP
\fB\-P\fR, \fB\-\-pin\fR=\fI\,STRING\/\fR
PIN/PUK code for verification
.TP
\fB\-N\fR, \fB\-\-new\-pin\fR=\fI\,STRING\/\fR
New PIN/PUK code for changing
.TP
\fB\-\-pin\-policy\fR=\fI\,ENUM\/\fR
Set PIN policy for action generate or import\-key (possible values="never",
"once", "always")
.TP
\fB\-\-touch\-policy\fR=\fI\,ENUM\/\fR
Set touch policy for action generate, import\-key or set\-mgm\-key (possible
values="never", "always", "cached")
.TP
\fB\-\-id\fR=\fI\,INT\/\fR
Id of object for write/read object
.TP
\fB\-f\fR, \fB\-\-format\fR=\fI\,ENUM\/\fR
Format of data for write/read object (possible values="hex", "base64",
"binary" default=`hex')
.SH EXAMPLES
For more information about what's happening, \-\-verbose can be added to any
command. For much more information, \-\-verbose=2 may be used.
.PP
Display what version of the application is running on the YubiKey:
.IP
yubico\-piv\-tool \-a version
.PP
Generate a new ECC\-P256 key on the device in slot 9a; the public key is
printed on stdout:
.IP
yubico\-piv\-tool \-s 9a \-A ECCP256 \-a generate
.PP
Generate a certificate request with the public key read from stdin; the
resulting request is printed on stdout:
.IP
.nf
yubico\-piv\-tool \-s 9a \-S '/CN=foo/OU=test/O=example.com/' \-P 123456 \\
\-a verify \-a request
.fi
.PP
Generate a self\-signed certificate with the public key read from stdin; the
certificate is printed on stdout, for later import:
.IP
.nf
yubico\-piv\-tool \-s 9a \-S '/CN=bar/OU=test/O=example.com/' \-P 123456 \\
\-a verify \-a selfsign
.fi
.PP
Import a certificate from stdin:
.IP
yubico\-piv\-tool \-s 9a \-a import\-certificate
.PP
Set a random CHUID, then import a key and a certificate from a PKCS12 file
with password test, into slot 9c:
.IP
.nf
yubico\-piv\-tool \-s 9c \-i test.pfx \-K PKCS12 \-p test \-a set\-chuid \\
\-a import\-key \-a import\-cert
.fi
.PP
Import a certificate which is larger than 2048 bytes and thus requires
compression in order to fit:
.IP
.nf
openssl x509 \-in cert.pem \-outform DER | gzip \-9 > der.gz
yubico\-piv\-tool \-s 9c \-i der.gz \-K GZIP \-a import\-cert
.fi
.PP
Change the management key used for administrative authentication:
.IP
.nf
yubico\-piv\-tool \-n 0807605403020108070605040302010807060504030201 \\
\-a set\-mgm\-key
.fi
.PP
Delete the certificate in slot 9a:
.IP
yubico\-piv\-tool \-a delete\-certificate \-s 9a
.PP
Show some information on certificates and other data:
.IP
yubico\-piv\-tool \-a status
.PP
Read out the certificate from a slot and then run a signature test:
.IP
.nf
yubico\-piv\-tool \-a read\-cert \-s 9a
yubico\-piv\-tool \-a verify\-pin \-P 123456 \-a test\-signature \-s 9a
.fi
.PP
Import a key into slot 85 (only available on YubiKey 4) and set the touch
policy (also only available on YubiKey 4):
.IP
yubico\-piv\-tool \-a import\-key \-s 85 \-\-touch\-policy=always \-i key.pem
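The management key that \fB\-k\fR falls back to is printed in this man page, so every device still using it can be administered (keys imported, certificates replaced, CHUID rewritten) by anyone who can reach its PIV applet. The following POSIX shell script is an added example, not part of yubico-piv-tool: it generates a fresh 24-byte key, rejects malformed keys and the factory default, and assembles the set\-mgm\-key command from the \fB\-k\fR and \fB\-n\fR options described above. The function names, the use of /dev/urandom with od and tr, and the choice to print the command rather than run it are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not yubico-piv-tool project code): rotate the PIV
# management key away from the well-known default.
# Assumes /dev/urandom, od and tr are available; function names are ours.

# Factory default management key, as listed for -k/--key in the man page.
DEFAULT_MGM_KEY=010203040506070801020304050607080102030405060708

# Produce a random 24-byte management key as 48 lowercase hex characters.
new_mgm_key() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Validate a candidate key: exactly 48 hex characters and not the default.
# Returns 0 when acceptable, 1 on a malformed key, 2 for the factory default.
check_mgm_key() {
    key=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$key" in
        *[!0-9a-f]*) return 1 ;;   # any non-hex character
    esac
    [ "${#key}" -eq 48 ] || return 1
    [ "$key" != "$DEFAULT_MGM_KEY" ] || return 2
    return 0
}

# Build the rotation command from the man page's -k (current key),
# -n (new key) and -a set-mgm-key options. The current key defaults to the
# factory value, matching the tool's own default for -k. The command is
# printed for review rather than executed.
set_mgm_key_cmd() {
    new_key=$1
    cur_key=${2:-$DEFAULT_MGM_KEY}
    check_mgm_key "$new_key" || return $?
    printf 'yubico-piv-tool -k %s -n %s -a set-mgm-key\n' "$cur_key" "$new_key"
}

# Stand-alone use: generate a key, then show the command that would apply it.
if [ "${1:-}" = "--demo" ]; then
    k=$(new_mgm_key)
    set_mgm_key_cmd "$k"
fi
```

Run the script with `--demo` to see a generated key and the command that would install it; the printed line can then be executed against a YubiKey once the new key has been stored where the operator will find it again, since a lost management key leaves the applet administrable only via a full \fB\-a\fR reset.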